[tor-relays] easy way to test my exit policy

I've been grumbled at in a way that makes me want to validate my exit policy before dismissing the grumble.

Is there any easy way to check that, as a tor client, I can't make an outbound connection from my tor server to a particular port on a particular server? I suppose I'm asking if there's a tor-aware telnet, or equivalent.

How do people test their exit policies?


--

       Tom Yates - https://www.teaparty.net
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page


I've been grumbled at in a way that makes me want to validate my exit
policy before dismissing the grumble.

I don't know exactly what you want to test there. You can see what you have open on tor metrics.
No IP/nftables for outgoing traffic!

My reduced exit policy (SSH only allowed for IPv6) default reject all:

On tor metrics:
https://metrics.torproject.org/rs.html#details/376DC7CAD597D3A4CBB651999CFAD0E77DC9AE8C

ExitPolicy default accept all:

On tor metrics:
https://metrics.torproject.org/rs.html#details/D80F649226CC96BBE0FF7B45B3791901569FE5AC

How do people test their exit policies?

I use https://metrics.torproject.org/
or
http://YOUR.EX.IT.IP/tor/server/authority


On Tuesday, 16 August 2022 16:36:52 CEST Tom Yates wrote:

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!


That pretty much sums up the problem. I know what my config says I'm doing; I want independent confirmation that the daemon is behaving as advertised.

Spoiler alert: unsurprisingly, it is.

Should anyone else want to do this, the right way (it seems) is to run an instance of tor on a random test box, point that at the exit node to be tested, and use a SOCKS-aware client (on the random test box) to generate test traffic via the SOCKS interface on tor whilst using tcpdump (on the exit node) to verify whether packets flow.

On the random test client, let's call it "client", force the selection of your exit node in your local torrc, in this case by IP address:

ExitNodes 178.17.171.102

and start tor. On the exit node, let's call it "angband", start tcpdump, looking for traffic to a random test server (let's call it "testserv.example.com"):

angband% sudo tcpdump host testserv.example.com

Then generate test traffic. This is test traffic that ought to be allowed to exit my exit node:

client% nc --proxy 127.0.0.1:9050 --proxy-type socks5 testserv.example.com 80

and here's the tcpdump traffic:

08:28:47.111528 IP angband.teaparty.net.45438 > testserv.example.com.http: Flags [S], seq 1395500093, win 42340, options [mss 1460,sackOK,TS val 3055761411 ecr 0,nop,wscale 12], length 0
08:28:47.173259 IP testserv.example.com.http > angband.teaparty.net.45438: Flags [S.], seq 879943484, ack 1395500094, win 28960, options [mss 1460,sackOK,TS val 4141468305 ecr 3055761411,nop,wscale 7], length 0
08:28:47.173293 IP angband.teaparty.net.45438 > testserv.example.com.http: Flags [.], ack 1, win 11, options [nop,nop,TS val 3055761473 ecr 4141468305], length 0
[...]

Here's test traffic that ought NOT to be allowed to exit my exit node:

client% nc --proxy 127.0.0.1:9050 --proxy-type socks5 testserv.example.com 25

and tcpdump confirms nothing leaves.

Many thanks to those who helped off-list (you know who you are); I'm grateful to everyone that responded.


On Wed, 17 Aug 2022, lists@for-privacy.net wrote:

On Tuesday, 16 August 2022 16:36:52 CEST Tom Yates wrote:

I've been grumbled at in a way that makes me want to validate my exit
policy before dismissing the grumble.

I don't know exactly what you want to test there. You can see what you have open on tor metrics.

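Added example, not code from the thread or from the Tor project: a small Python evaluator for exit-policy lines in torrc/descriptor syntax, so the result the tcpdump check above should show for a given destination can be predicted before generating test traffic. It assumes first-match-wins, `*` covering both address families on accept/reject and only IPv6 on accept6/reject6, and a constructed sample policy rather than any real relay's.

```python
import ipaddress

# Constructed sample policy (not a real relay's): web open, SMTP 25 closed.
SAMPLE_POLICY = """\
reject 10.0.0.0/8:*
reject *:25
accept *:80
accept *:443
accept6 *:22
reject *:*
"""
ANY4, ANY6 = ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")


def _nets(spec, v6_line):
    """'*' -> both families (IPv6 only on accept6/reject6); else one CIDR."""
    if spec == "*":
        return [ANY6] if v6_line else [ANY4, ANY6]
    spec = spec.replace("[", "").replace("]", "")  # '[::]/0' -> '::/0'
    return [ipaddress.ip_network(spec, strict=False)]


def _ports(spec):
    """'*' -> None (any port); '80', '80-81' or '22,80' -> explicit set."""
    if spec == "*":
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_policy(text):
    """Return [(allow, networks, ports)] in the order the policy lists them."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        action, _, rest = line.partition(" ")
        addr, _, portspec = rest.rpartition(":")
        rules.append((action.startswith("accept"),
                      _nets(addr, action.endswith("6")), _ports(portspec)))
    return rules


def exit_allows(rules, host, port):
    """First matching rule wins; no match counts as rejected (a published
    policy always ends in a catch-all, so this only guards a truncated copy)."""
    ip = ipaddress.ip_address(host)
    for allow, nets, ports in rules:
        if any(ip.version == n.version and ip in n for n in nets) and (
                ports is None or port in ports):
            return allow
    return False
```

Paste the accept/reject lines from your own relay's descriptor into SAMPLE_POLICY and call exit_allows(parse_policy(...), ip, port) for the destination you intend to probe; a mismatch between that answer and what tcpdump shows is the thing worth investigating.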